From: Wietse Venema Date: Sun, 17 Jun 2012 05:00:00 +0000 (-0500) Subject: postfix-2.10-20120617 X-Git-Tag: v2.10.0-RC1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fe49cc9659ca635a564772f62ac01f8ba7687e9;p=thirdparty%2Fpostfix.git postfix-2.10-20120617 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 924820c92..57ab40cc4 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -17799,3 +17799,15 @@ Apologies for any names omitted. command must wait until its requests have reached the pickup and qmgr servers before closing the UNIX-domain request sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in. + +20120522 + + Robustness: set LC_ALL=C in post-install to avoid surprises + when parsing output from Postfix or non-Postfix commands. + File: postfix-install. + +20120611 + + Bugfix (introduced: 20031216-21): with soft_bounce=yes, the + SMTP client did not move on to the next MX host or fallback + relay after a 5xx reply. File: smtp/smtp_trouble.c. diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README index 4838b619d..d5dad128e 100644 --- a/postfix/README_FILES/POSTSCREEN_README +++ b/postfix/README_FILES/POSTSCREEN_README 
@@ -4,10 +4,12 @@ PPoossttffiixx PPoossttssccrreeeenn HHoowwttoo IInnttrroodduuccttiioonn -The Postfix postscreen(8) server performs triage on multiple inbound SMTP -connections at the same time. While a single postscreen(8) process keeps -zombies away from Postfix SMTP server processes, more Postfix SMTP server -processes remain available for legitimate clients. +The Postfix postscreen(8) daemon provides additional protection against mail +server overload. One postscreen(8) process handles multiple inbound SMTP +connections, and decides which clients may talk to a Postfix SMTP server +process. By keeping spambots away, postscreen(8) leaves more SMTP server +processes available for legitimate clients, and delays the onset of server +overload conditions. postscreen(8) maintains a temporary whitelist for clients that pass its tests; by allowing whitelisted clients to skip tests, postscreen(8) minimizes its @@ -767,3 +769,10 @@ for sites that require TLS support. The implementation introduces the tlsproxy (8) event-driven TLS proxy that decrypts/encrypts the sessions for multiple SMTP clients. +The tlsproxy(8) implementation led to the discovery of a "new" class of +vulnerability (CVE-2011-0411) that affected multiple implementations of TLS +over SMTP, POP, IMAP, NNTP, and FTP. + +postscreen(8) was officially released as part of the Postfix 2.8 stable release +in January 2011. + diff --git a/postfix/README_FILES/STRESS_README b/postfix/README_FILES/STRESS_README index 03cc9952e..8e61d3318 100644 --- a/postfix/README_FILES/STRESS_README +++ b/postfix/README_FILES/STRESS_README 
@@ -384,11 +384,11 @@ accept remote connections. OOtthheerr mmeeaassuurreess ttoo ooffff--llooaadd zzoommbbiieess The postscreen(8) daemon, introduced with Postfix 2.8, provides additional -protection against mail server overload. One postscreen(8) process handles all -connections from "new" SMTP clients, and allows only well-behaved clients to -talk to a Postfix SMTP server process. By keeping spambots away, postscreen(8) -leaves more SMTP server processes available for legitimate clients, and delays -the onset of server overload conditions. +protection against mail server overload. One postscreen(8) process handles +multiple inbound SMTP connections, and decides which clients may to talk to a +Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves +more SMTP server processes available for legitimate clients, and delays the +onset of server overload conditions. CCrreeddiittss diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 4bfb30700..8f9941d39 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -12,6 +12,19 @@ Wish list: Make "rename" the default when postmapping a DB file (later: use copy+rename for postmap -i, postmap -d). + "no-cache" option for selected postscreen tests? + + Need primitive to find out if a map has a local lock. If + it doesn't (like memcache or proxied map), then postscreen + etc. don't need to close a cache after "postfix reload". + After a fork() it is OK to keep using a memcache or proxymap + handle, because the parent exits immediately. + + Different TTL values for different DNSBL sources? + + Replace master(8) SIGHUP by very simple socket protocol to + allow reload of a specific service. + Make the "trigger" service endpoint type configurable. On non-Solaris systems, switching from fifo to unix can avoid disk spin-up due to mtime changes (Postfix on Solaris 
@@ -45,7 +58,8 @@ Wish list: need to use attack-resistant code for numeric conversion. move flush_init() etc. from defer service clients to the - bounce daemon? + bounce daemon? Postfix works best when work can be spread + out over many clients, instead of over a few servers. multi_connect() function that takes a list of inet:host:port and/or unix:pathname specs, with an explicit "inet" prefix diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index 44959e8be..e0925efe2 100644 --- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -17,11 +17,13 @@

Introduction

-

The Postfix postscreen(8) server performs triage on multiple -inbound SMTP connections at the same time. While a single postscreen(8) -process keeps zombies away from Postfix SMTP server processes, more -Postfix SMTP server processes remain available for legitimate -clients.

+

The Postfix postscreen(8) daemon provides additional protection +against mail server overload. One postscreen(8) process handles +multiple inbound SMTP connections, and decides which clients may +talk to a Postfix SMTP server process. By keeping spambots away, +postscreen(8) leaves more SMTP server processes available for +legitimate clients, and delays the onset of server overload conditions.

postscreen(8) maintains a temporary whitelist for clients that pass its tests; by allowing whitelisted clients to skip tests, @@ -1062,6 +1064,15 @@ collect real-world statistics. This version still used the embarrassing implementation introduces the tlsproxy(8) event-driven TLS proxy that decrypts/encrypts the sessions for multiple SMTP clients.

+

The tlsproxy(8) implementation led to the discovery of a "new" +class of vulnerability (CVE-2011-0411) that affected multiple implementations of TLS +over SMTP, POP, IMAP, NNTP, and FTP.

+ +

postscreen(8) was officially released as part of the Postfix +2.8 stable release in January 2011.

+ diff --git a/postfix/html/STRESS_README.html b/postfix/html/STRESS_README.html index 114d882c3..bd4c1b833 100644 --- a/postfix/html/STRESS_README.html +++ b/postfix/html/STRESS_README.html @@ -516,11 +516,11 @@ services that accept remote connections.

The postscreen(8) daemon, introduced with Postfix 2.8, provides additional protection against mail server overload. One postscreen(8) -process handles all connections from "new" SMTP clients, and allows -only well-behaved clients to talk to a Postfix SMTP server process. -By keeping spambots away, postscreen(8) leaves more SMTP server -processes available for legitimate clients, and delays the onset -of server overload conditions.

+process handles multiple inbound SMTP connections, and decides which +clients may to talk to a Postfix SMTP server process. By keeping +spambots away, postscreen(8) leaves more SMTP server processes +available for legitimate clients, and delays the onset of server +overload conditions.

Credits

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 92f10ffea..06f74178d 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -5291,8 +5291,9 @@ the SMTP greeting banner, and in bounced mail.

The UNIX system account that owns the Postfix queue and most Postfix -daemon processes. Specify the name of a user account that does -not share a group with other accounts and that owns no other files +daemon processes. Specify the name of an unprivileged user account +that does not share a user or group ID with other accounts, and that +owns no other files or processes on the system. In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.

diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 036211a01..4ef299d7b 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html @@ -13,11 +13,13 @@ POSTSCREEN(8) POSTSCREEN(8) postscreen [generic Postfix daemon options] DESCRIPTION - The Postfix postscreen(8) server performs triage on multi- - ple inbound SMTP connections at the same time. While a - single postscreen(8) process keeps spambots away from - Postfix SMTP server processes, more Postfix SMTP server - processes remain available for legitimate clients. + The Postfix postscreen(8) server provides additional pro- + tection against mail server overload. One postscreen(8) + process handles multiple inbound SMTP connections, and + decides which clients may talk to a Postfix SMTP server + process. By keeping spambots away, postscreen(8) leaves + more SMTP server processes available for legitimate + clients. This program should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deploy- diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 0087dffc6..9b2f6955f 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -2961,8 +2961,9 @@ The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail. .SH mail_owner (default: postfix) The UNIX system account that owns the Postfix queue and most Postfix -daemon processes. Specify the name of a user account that does -not share a group with other accounts and that owns no other files +daemon processes. Specify the name of an unprivileged user account +that does not share a user or group ID with other accounts, and that +owns no other files or processes on the system. In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID. .PP diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8 index cd3a646c7..34dd96274 100644 
--- a/postfix/man/man8/postscreen.8 +++ b/postfix/man/man8/postscreen.8 @@ -12,11 +12,12 @@ Postfix zombie blocker .SH DESCRIPTION .ad .fi -The Postfix \fBpostscreen\fR(8) server performs triage on -multiple inbound SMTP connections at the same time. While -a single \fBpostscreen\fR(8) process keeps spambots away -from Postfix SMTP server processes, more Postfix SMTP server -processes remain available for legitimate clients. +The Postfix \fBpostscreen\fR(8) server provides additional +protection against mail server overload. One \fBpostscreen\fR(8) +process handles multiple inbound SMTP connections, and decides +which clients may talk to a Postfix SMTP server process. +By keeping spambots away, \fBpostscreen\fR(8) leaves more +SMTP server processes available for legitimate clients. This program should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, diff --git a/postfix/postfix-install b/postfix/postfix-install index 7f14c03ef..6b2a261a0 100644 --- a/postfix/postfix-install +++ b/postfix/postfix-install @@ -174,6 +174,10 @@ IFS=" " BACKUP_IFS="$IFS" +# This script uses outputs from Postfix and non-Postfix commands. +# Override all LC_* settings and LANG for robustness. +LC_ALL=C; export LC_ALL + USAGE="Usage: $0 [name=value] [option] -non-interactive Do not ask for installation parameters. -package Build a ready-to-install package. diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html index e5b960183..6db154b0c 100644 --- a/postfix/proto/POSTSCREEN_README.html +++ b/postfix/proto/POSTSCREEN_README.html @@ -17,11 +17,13 @@

Introduction

-

The Postfix postscreen(8) server performs triage on multiple -inbound SMTP connections at the same time. While a single postscreen(8) -process keeps zombies away from Postfix SMTP server processes, more -Postfix SMTP server processes remain available for legitimate -clients.

+

The Postfix postscreen(8) daemon provides additional protection +against mail server overload. One postscreen(8) process handles +multiple inbound SMTP connections, and decides which clients may +talk to a Postfix SMTP server process. By keeping spambots away, +postscreen(8) leaves more SMTP server processes available for +legitimate clients, and delays the onset of server overload conditions.

postscreen(8) maintains a temporary whitelist for clients that pass its tests; by allowing whitelisted clients to skip tests, @@ -1062,6 +1064,15 @@ postscreen(8) usable for sites that require TLS support. The implementation introduces the tlsproxy(8) event-driven TLS proxy that decrypts/encrypts the sessions for multiple SMTP clients.

+

The tlsproxy(8) implementation led to the discovery of a "new" +class of vulnerability (CVE-2011-0411) that affected multiple implementations of TLS +over SMTP, POP, IMAP, NNTP, and FTP.

+ +

postscreen(8) was officially released as part of the Postfix +2.8 stable release in January 2011.

+ diff --git a/postfix/proto/STRESS_README.html b/postfix/proto/STRESS_README.html index d8aed37aa..00f849187 100644 --- a/postfix/proto/STRESS_README.html +++ b/postfix/proto/STRESS_README.html @@ -516,11 +516,11 @@ services that accept remote connections.

The postscreen(8) daemon, introduced with Postfix 2.8, provides additional protection against mail server overload. One postscreen(8) -process handles all connections from "new" SMTP clients, and allows -only well-behaved clients to talk to a Postfix SMTP server process. -By keeping spambots away, postscreen(8) leaves more SMTP server -processes available for legitimate clients, and delays the onset -of server overload conditions.

+process handles multiple inbound SMTP connections, and decides which +clients may to talk to a Postfix SMTP server process. By keeping +spambots away, postscreen(8) leaves more SMTP server processes +available for legitimate clients, and delays the onset of server +overload conditions.

Credits

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index b24622e01..24fd6b5db 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -2427,8 +2427,9 @@ the SMTP greeting banner, and in bounced mail.

The UNIX system account that owns the Postfix queue and most Postfix -daemon processes. Specify the name of a user account that does -not share a group with other accounts and that owns no other files +daemon processes. Specify the name of an unprivileged user account +that does not share a user or group ID with other accounts, and that +owns no other files or processes on the system. In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index b0489e3dc..81910ced0 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20120520" +#define MAIL_RELEASE_DATE "20120617" #define MAIL_VERSION_NUMBER "2.10" #ifdef SNAPSHOT diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c index df3b85320..fa85d6d48 100644 --- a/postfix/src/postscreen/postscreen.c +++ b/postfix/src/postscreen/postscreen.c @@ -6,11 +6,12 @@ /* SYNOPSIS /* \fBpostscreen\fR [generic Postfix daemon options] /* DESCRIPTION -/* The Postfix \fBpostscreen\fR(8) server performs triage on -/* multiple inbound SMTP connections at the same time. While -/* a single \fBpostscreen\fR(8) process keeps spambots away -/* from Postfix SMTP server processes, more Postfix SMTP server -/* processes remain available for legitimate clients. +/* The Postfix \fBpostscreen\fR(8) server provides additional +/* protection against mail server overload. One \fBpostscreen\fR(8) +/* process handles multiple inbound SMTP connections, and decides +/* which clients may talk to a Postfix SMTP server process. +/* By keeping spambots away, \fBpostscreen\fR(8) leaves more +/* SMTP server processes available for legitimate clients. /* /* This program should not be used on SMTP ports that receive /* mail from end-user clients (MUAs). In a typical deployment, @@ -557,7 +558,7 @@ static void psc_drain(char *unused_service, char **unused_argv) * XXX Some Berkeley DB versions break with close-after-fork. Every new * version is an improvement over its predecessor. */ - if (psc_cache_map != 0) { + if (psc_cache_map != 0 /* XXX && psc_cache_map requires locking */) { dict_cache_close(psc_cache_map); psc_cache_map = 0; } 
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in index 9f974f57e..ebb11b851 100644 --- a/postfix/src/smtp/Makefile.in +++ b/postfix/src/smtp/Makefile.in @@ -591,6 +591,7 @@ smtp_trouble.o: ../../include/header_body_checks.h smtp_trouble.o: ../../include/header_opts.h smtp_trouble.o: ../../include/htable.h smtp_trouble.o: ../../include/mail_error.h +smtp_trouble.o: ../../include/mail_params.h smtp_trouble.o: ../../include/maps.h smtp_trouble.o: ../../include/match_list.h smtp_trouble.o: ../../include/mime_state.h diff --git a/postfix/src/smtp/smtp_trouble.c b/postfix/src/smtp/smtp_trouble.c index 0e7fafd46..4a0c30627 100644 --- a/postfix/src/smtp/smtp_trouble.c +++ b/postfix/src/smtp/smtp_trouble.c @@ -151,6 +151,7 @@ #include #include #include +#include /* Application-specific. */ @@ -190,6 +191,7 @@ static int smtp_bulk_fail(SMTP_STATE *state, int throttle_queue) RECIPIENT *rcpt; int status; int soft_error = (STR(why->status)[0] == '4'); + int soft_bounce_error = (STR(why->status)[0] == '5' && var_soft_bounce); int nrcpt; /* @@ -197,7 +199,8 @@ static int smtp_bulk_fail(SMTP_STATE *state, int throttle_queue) * delivery to a backup server. Just log something informative to show * why we're skipping this host. */ - if (soft_error && (state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) { + if ((soft_error || soft_bounce_error) + && (state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) { msg_info("%s: %s", request->queue_id, STR(why->reason)); for (nrcpt = 0; nrcpt < SMTP_RCPT_LEFT(state); nrcpt++) { rcpt = request->rcpt_list.info + nrcpt; @@ -245,7 +248,8 @@ static int smtp_bulk_fail(SMTP_STATE *state, int throttle_queue) state->status |= status; } if ((state->misc_flags & SMTP_MISC_FLAG_COMPLETE_SESSION) == 0 - && throttle_queue && soft_error && request->hop_status == 0) + && throttle_queue && (soft_error || soft_bounce_error) + && request->hop_status == 0) request->hop_status = DSN_COPY(&why->dsn); } 
@@ -354,6 +358,7 @@ void smtp_rcpt_fail(SMTP_STATE *state, RECIPIENT *rcpt, const char *mta_name, DSN_BUF *why = state->why; int status; int soft_error; + int soft_bounce_error; va_list ap; /* @@ -369,6 +374,7 @@ void smtp_rcpt_fail(SMTP_STATE *state, RECIPIENT *rcpt, const char *mta_name, vsmtp_fill_dsn(state, mta_name, resp->dsn, resp->str, format, ap); va_end(ap); soft_error = STR(why->status)[0] == '4'; + soft_bounce_error = (STR(why->status)[0] == '5' && var_soft_bounce); if (state->session && mta_name) smtp_check_code(state->session, resp->code); @@ -378,7 +384,8 @@ void smtp_rcpt_fail(SMTP_STATE *state, RECIPIENT *rcpt, const char *mta_name, * for trying other mail servers. Just log something informative to show * why we're skipping this recipient now. */ - if (soft_error && (state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) { + if ((soft_error || soft_bounce_error) + && (state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) { msg_info("%s: %s", request->queue_id, STR(why->reason)); SMTP_RCPT_KEEP(state, rcpt); } diff --git a/postfix/src/smtpstone/qmqp-sink.c b/postfix/src/smtpstone/qmqp-sink.c index f89cd194f..5dac7bca3 100644 --- a/postfix/src/smtpstone/qmqp-sink.c +++ b/postfix/src/smtpstone/qmqp-sink.c @@ -221,6 +221,7 @@ static void connect_event(int unused_event, char *context) non_blocking(fd, NON_BLOCKING); state = (SINK_STATE *) mymalloc(sizeof(*state)); state->stream = vstream_fdopen(fd, O_RDWR); + vstream_tweak_sock(state->stream); netstring_setup(state->stream, var_tmout); event_enable_read(fd, read_length, (char *) state); } diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c index 46eae5c5d..0509e64a7 100644 --- a/postfix/src/smtpstone/smtp-sink.c +++ b/postfix/src/smtpstone/smtp-sink.c 
@@ -1325,6 +1325,7 @@ static void connect_event(int unused_event, char *unused_context) state->client_addr.buf); non_blocking(fd, NON_BLOCKING); state->stream = vstream_fdopen(fd, O_RDWR); + vstream_tweak_sock(state->stream); state->buffer = vstring_alloc(1024); state->read_fn = command_read; state->data_state = ST_ANY;
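Review bot: the replacement text in the three STRESS_README hunks (README_FILES/STRESS_README, html/STRESS_README.html, proto/STRESS_README.html) reads "decides which clients may to talk to a Postfix SMTP server process", with a stray "to". The POSTSCREEN_README hunks in this same commit have the intended wording, "decides which clients may talk to a Postfix SMTP server process". Correct all three copies so the two documents agree.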
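Review bot: the description rewritten in man/man8/postscreen.8, html/postscreen.8.html and the header comment of src/postscreen/postscreen.c is not the same text as the README version. It keeps "server" where the READMEs now say "daemon", and it stops at "available for legitimate clients" without the closing "and delays the onset of server overload conditions". If the difference is not deliberate, use one wording in all places so the manual page and the READMEs describe postscreen(8) identically.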
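Review bot: in psc_drain() in src/postscreen/postscreen.c the test becomes "if (psc_cache_map != 0 /* XXX && psc_cache_map requires locking */)", a condition with half of it commented out. Behaviour is unchanged (the cache is still closed whenever it is open), but an inline fragment like this is easy to misread as live code or to uncomment without the primitive it depends on. Move the XXX into the block comment just above the test and point it at the WISHLIST item added in this commit ("Need primitive to find out if a map has a local lock"), leaving the condition itself as plain "psc_cache_map != 0".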
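Review bot: in src/smtp/smtp_trouble.c the expression "STR(why->status)[0] == '5' && var_soft_bounce" is written out twice, once in smtp_bulk_fail() and once in smtp_rcpt_fail(), and "(soft_error || soft_bounce_error)" then appears at three separate decision points. A single helper (macro or static function) that answers "may this failure be retried on another server" would keep those sites from drifting apart, and a one-line comment at its definition should record the intent stated in HISTORY: with soft_bounce=yes a 5xx reply must not stop the client from moving on to the next MX host or fallback relay. The hunks touch only these two functions, so it is worth confirming that no other failure path in the file still tests soft_error alone. The Makefile.in dependency on mail_params.h is consistent with the new use of var_soft_bounce.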
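Review bot: the vstream_tweak_sock(state->stream) calls added to connect_event() in src/smtpstone/qmqp-sink.c and src/smtpstone/smtp-sink.c are not documented. The HISTORY hunk lists only the LC_ALL change (20120522) and the soft_bounce fix (20120611). Add a HISTORY entry that names both files and says why the sinks need the socket tweak. The call's result is discarded at both sites; if it can report failure, add a short comment saying why that is safe to ignore in a test tool.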